OpenSSH does not start after updating to 21.7.5

Started by bongo, November 14, 2021, 01:08:49 PM

Today, I updated from 20.7.8 to 21.7.5.
All updates of the production release are installed now.
Unfortunately, when looking at the dashboard, OpenSSH stays red and cannot be started.
I don't know if this will be a problem for me, as I do not really know what OpenSSH is used for in OPNsense. I tried to start it, but when doing so nothing happens and OpenSSH stays red.

Do I need to care about this, and if yes, what should I do?

Thanks for any help!

Hi Bongo,

I've seen the same issue in my installation and an upgrade to 21.7.6 didn't help.
The general log file shows the following entry:

/usr/local/etc/rc.sshd: The command '/usr/bin/protect -i /usr/local/sbin/sshd' returned exit code '255', the output was 'Unsupported KEX algorithm "sntrup4591761x25519-sha512@tinyssh.org" /usr/local/etc/ssh/sshd_config line 14: Bad SSH2 KexAlgorithms 'diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org,sntrup4591761x25519-sha512@tinyssh.org'.

Now to at least answer one of your questions:
As long as you don't want to log in to your firewall over a network, you won't even notice that OpenSSH isn't running.
Most of the time I think that the web GUI is pretty convenient and there's hardly any need to start a remote (secure) shell. But still, I'd prefer to have OpenSSH running.

Well, you need to adjust your SSH key exchange settings according to what OpenSSH now supports. We really don't recommend these overrides for portability, but people keep asking for and using them, wondering why these are only provided reluctantly. ;)


Cheers,
Franco
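
The check Franco describes, as an added example that is not OPNsense or OpenSSH code: take the KexAlgorithms list out of the log entry quoted above, compare it against what the installed OpenSSH reports via `ssh -Q kex`, and print a corrected `KexAlgorithms` line containing only the names the daemon knows. The sample log line is the one from the post above; the fallback list of supported algorithms is an assumption (what `ssh -Q kex` typically prints on OpenSSH 8.5 or newer, where the `@tinyssh.org` name was replaced by `sntrup761x25519-sha512@openssh.com`) and is only used when no `ssh` binary is on PATH.

```python
"""Compare a configured sshd KexAlgorithms list with the algorithms the
installed OpenSSH actually supports.

Added example for this thread; not OPNsense or OpenSSH code. SAMPLE_LOG is
copied from the log entry quoted in the thread. FALLBACK_SUPPORTED is an
assumption that stands in for `ssh -Q kex` output when ssh is not installed.
"""
import re
import shutil
import subprocess

# Constructed from the rc.sshd log entry quoted in the thread.
SAMPLE_LOG = (
    "/usr/local/etc/rc.sshd: The command '/usr/bin/protect -i /usr/local/sbin/sshd' "
    "returned exit code '255', the output was 'Unsupported KEX algorithm "
    "\"sntrup4591761x25519-sha512@tinyssh.org\" /usr/local/etc/ssh/sshd_config "
    "line 14: Bad SSH2 KexAlgorithms 'diffie-hellman-group1-sha1,"
    "diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,"
    "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,"
    "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
    "curve25519-sha256,curve25519-sha256@libssh.org,"
    "sntrup4591761x25519-sha512@tinyssh.org'."
)

# Assumption: typical `ssh -Q kex` output of OpenSSH 8.5 or newer. Used only
# when no ssh binary is available; on a real host the live query is used.
FALLBACK_SUPPORTED = [
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group-exchange-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "sntrup761x25519-sha512@openssh.com",
]


def parse_kex_from_log(line):
    """Extract the comma-separated list sshd rejected in a 'Bad SSH2 KexAlgorithms' message."""
    m = re.search(r"Bad SSH2 KexAlgorithms '([^']*)'", line)
    if not m:
        raise ValueError("no KexAlgorithms list found in log line")
    return [a for a in m.group(1).split(",") if a]


def supported_kex():
    """Return the KEX names this host's OpenSSH supports (`ssh -Q kex`), or the fallback."""
    ssh = shutil.which("ssh")
    if ssh is None:
        return list(FALLBACK_SUPPORTED)
    out = subprocess.run([ssh, "-Q", "kex"], capture_output=True, text=True, check=True)
    return out.stdout.split()


def split_kex(configured, supported):
    """Split the configured list into (supported, unsupported), keeping order."""
    known = set(supported)
    ok = [a for a in configured if a in known]
    bad = [a for a in configured if a not in known]
    return ok, bad


def sha1_entries(algorithms):
    """Names whose hash is SHA-1; kept separate so the operator can decide on them."""
    return [a for a in algorithms if a.endswith("-sha1")]


def kex_config_line(algorithms):
    """Render an sshd_config KexAlgorithms line."""
    return "KexAlgorithms " + ",".join(algorithms)


if __name__ == "__main__":
    configured = parse_kex_from_log(SAMPLE_LOG)
    ok, bad = split_kex(configured, supported_kex())
    for name in bad:
        print("unsupported on this OpenSSH, drop it:", name)
    for name in sha1_entries(ok):
        print("supported but SHA-1 based, consider dropping:", name)
    print(kex_config_line(ok))
```

On the firewall itself, `ssh -Q kex` is the authoritative list for the installed version, and `sshd -t -f /usr/local/etc/ssh/sshd_config` (run as root) validates a candidate file without starting the daemon, which is the same check that failed in the log entry above. A rejected `KexAlgorithms` line stops sshd entirely, so the check is worth running before saving the override.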

Hi Franco,

Thank you for the suggestion. I'm not aware of having changed anything to override defaults (in this area), but at the same time, being pretty new to firewalls and especially OPNsense, I have been doing guesswork to get things working the way I want.

Anyway, after some searching I've found System -> Settings -> Administration -> Key Exchange Algorithms which was configured to accept the entire list, except for the last entry.
After disabling all methods with "SHA1" in their names and saving, OpenSSH managed to start up again.

Note that disabling everything with SHA1 in its name is again a wild guess, based on the fact that SHA1 isn't considered the most secure algorithm anymore. It could be OK in combination with other things, though. Sometimes wild guesses work :-)

Thank you again for the valuable hint!

Best regards,

Ronald